09-11-2019 03:57 PM - edited 02-21-2020 09:29 AM
Does anyone know how the "Blacklist IP Now" feature in Connection Events should work? It seems to add the IP address to the "Global Blacklist" but I still see future connections from that IP being allowed.
In the image below, 222.186.52.78 has been blacklisted.
09-11-2019 08:17 PM
Hi,
You can Blacklist a Destination IP address (Responder IP) by doing a right-click on the specific IP > Blacklist IP Now.
See helpful link:
http://wannabecybersecurity.blogspot.com/2019/06/configuring-cisco-fmc-security.html
You can verify the added Blacklist IP by going again to Objects > Security Intelligence > Network Lists and Feed > Global-Blacklist > edit (pencil icon).
09-12-2019 09:53 AM
Thanks John-
What I am trying to do is Blacklist the Initiator IP.
The FMC will allow me to select the initiator address and select Blacklist Now, and it indeed gets successfully added to the Global Blacklist, but future connections from that blacklisted address are still allowed based on the Connection Events log.